Document: ISO/TC 176/SC 2/N 630R3

Our ref

Secretariat of ISO/TC 176/SC 2 Date: 15 October 2008

ISO 9000 Introduction and Support Package:

Guidance on 'Outsourced Processes'

In conjunction with the publication of the International Standard ISO 9001:2008, ISO/TC
176/SC 2 has published a number of guidance modules:

ƒ Guidance on ISO 9001:2008 Sub-clause 1.2 'Application'

ƒ Guidance on the Documentation requirements of ISO 9001:2008
ƒ Guidance on the Terminology used in ISO 9001 and ISO 9004
ƒ Guidance on the Concept and Use of the Process Approach for management systems
ƒ Guidance on 'Outsourced Processes'

Together these are being made available as the ISO/TC 176/SC 2 ”ISO 9000 Introduction
and Support Package”.

Feedback from users of the standards will be used to determine whether additional modules
should be developed, or if these published modules should be revised.

The modules, and further information on the ISO 9001:2008 standard, may be downloaded
from the following web sites:

www.iso.org
www.iso.org/tc176/sc2

C Corrie
For the BSI Secretariat of
ISO/TC 176/SC 2

1
BSI Standards, 389 Chiswick High Road, London W4 4AL Telephone: + +44 208 996 9000 Fax: + +44 208 996 7400
ISO 9000 Introduction and Support Package module:
Guidance on 'Outsourced Processes'

1) Introduction

The aim of this document is to provide guidance on the intent of ISO 9001:2008 clause 4.1,
regarding the control of outsourced processes.

ISO 9001:2008 clause 4.1 states:

“Where an organization chooses to outsource any process that affects product conformity to
requirements, the organization shall ensure control over such processes. The type and
extent of control to be applied to these outsourced processes shall be defined within the
quality management system.

NOTE 1 Processes needed for the quality management system referred to above include
processes for management activities, provision of resources, product realization
and measurement, analysis and improvement.

NOTE 2 An “outsourced process” is a process that the organization needs for its quality
management system and which the organization chooses to have performed by an external
party.

NOTE 3 Ensuring control over outsourced processes does not absolve the organization of
the responsibility of conformity to all customer, statutory and regulatory
requirements. The type and extent of control to be applied to the outsourced
process may be influenced by factors such as:

a) the potential impact of the outsourced process on the organization’s capability

to provide product that conforms to requirements;

b) the degree to which the control for the process is shared;

c) the capability of achieving the necessary control through the application of

clause 7.4.”

2) Guidance

2.1) What is an “outsourced process”?

The Oxford English Dictionary defines the verb “outsource” as “to obtain….. by contract from
a source outside the organization or area; to contract (work) out”

As now defined in ISO 9001:2008 Sub clause 4.1 NOTE 2, an “outsourced process” is a
process that the organization needs for its quality management system and which the organization
chooses to have performed by an external party.

Note: ISO 9000:2005 clause 3.4.1 defines “process” as “set of interrelated or interacting activities
which transforms inputs into outputs”.

An outsourced process can be performed by a supplier that is totally independent from the
organization, or which is part of the same parent organization (e.g. a separate department or
division that is not subject to the same quality management system). It may be provided
within the physical premises or work environment of the organization, at an independent site,
or in some other manner.

© ISO 2008 – All rights reserved 2 ISO/TC 176/SC 2/N 630R3

ISO 9000 Introduction and Support Package module:
Guidance on 'Outsourced Processes'

2.2) Intent of Clause 4.1

The intent of Clause 4.1 of ISO 9001:2008 is to emphasize that when an organization
chooses to outsource (either permanently or temporarily) a process that affects product
conformity with requirements (see ISO 9001:2008 clause 7.2.1), it can not simply ignore this
process, nor exclude it from the quality management system.
The organization has to demonstrate that it exercises sufficient control to ensure that this
process is performed according to the relevant requirements of ISO 9001:2008, and any
other requirements of the organization’s quality management system. The nature of this
control will depend on the importance of the outsourced process, the risk involved, and the
competence of the supplier to meet the process requirements. Based on the nature of the
control, it should consider the processes referred to quality management system for
management activities, provision of resources, product realization and measurement,
analysis and improvement. The outsourced organization does not necessarily have to have a
certified Quality Management System, but it has to demonstrate the capability of the
previously mentioned processes.
Outsourced processes will interact with other processes from the organization's quality
management system (these other processes may be carried out by the organization itself, or
may themselves be outsourced processes). These interactions also need to be managed
(see ISO 9001:2008 clause 4.1 (a) and (b)).

2.3 Control of outsourced processes

2.3.1) The acquisition of outsourced processes will normally be subject to the capability of
achieving the necessary control through the application of requirements of both ISO
9001:2008 clause 7.4 (Purchasing) and clause 4.1 (General Requirements)

As mentioned in the Note, in some situations, the organization might not “purchase” the
outsourced process in the traditional sense; it might, for example, receive the service from a
corporate head office or from another division within a group of organizations, without any
monetary transaction taking place (see 2.1 above). Under these circumstances, however,
ISO 9001:2008 Clauses 7.4 and 4.1 are still applicable.

2.3.2) There are two situations that frequently need to be considered when deciding the
appropriate level of control of an outsourced process:

a) When an organization has the competence and ability to carry out a process, but
chooses to outsource that process (for commercial or other reasons).

In this situation the process control criteria should already have been defined, and
can be transposed into requirements for the supplier of the outsourced process, if
necessary.

b) When the organization does not have the competence to carry out the process itself,
and chooses to outsource it.

In this situation the organization has to ensure that the controls proposed by the
supplier of the outsourced process are adequate. In some cases it may be
necessary to involve external specialists in making this evaluation.

2.3.3) It may be convenient, or even necessary, to define some or all of the methods to be
used for control of the outsourced processes in a contract between the organization and the

© ISO 2008 – All rights reserved 3 ISO/TC 176/SC 2/N 630R3

ISO 9000 Introduction and Support Package module:
Guidance on 'Outsourced Processes'

supplier. The potential impact of the outsourced process is based on the outsourcing’s
capability to provide product that conforms to requirements. Care should be taken, however,
not to inhibit the supplier from proposing innovations to the outsourced process.
The organization’s control of the outsourced process has to be based on the need for
product conformity to requirements.
Ensuring control over outsourced processes does not absolve the organization of the
responsibility of conformity to all customer, statutory and regulatory requirements.

2.3.4) In some situations it might not be possible to verify the output from the outsourced
process by subsequent monitoring or measurement. In these cases, the organization needs
to ensure that the control over the outsourced process includes process validation in
accordance with ISO 9001:2008 clause 7.5.2.

© ISO 2008 – All rights reserved 4 ISO/TC 176/SC 2/N 630R3